October 11, 2023 at 06:42AM
The US Cybersecurity and Infrastructure Security Agency (CISA) has added five security vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: an Adobe Acrobat and Reader flaw that can be exploited for remote code execution, an out-of-bounds write in Cisco IOS and IOS XE, two zero-days affecting Skype for Business and WordPad, and a zero-day in the HTTP/2 protocol that is being abused for denial of service rather than code execution. CISA is urging all organizations to remediate them; federal agencies are required to do so within 21 days.
Summary of key points:
– CISA has added five new security defects to its Known Exploited Vulnerabilities (KEV) catalog.
– One of the vulnerabilities is an Adobe Acrobat and Reader flaw (CVE-2023-21608) that can be exploited to achieve remote code execution.
– Adobe patched this flaw in January 2023, but proof-of-concept (PoC) exploits and technical write-ups have since been published, so installations that missed the January update are now an easy target.
– Another entry is an out-of-bounds write in the Group Encrypted Transport VPN (GET VPN) feature of Cisco IOS and IOS XE (CVE-2023-20109). Per Cisco's advisory, exploitation requires administrative control of a GET VPN group member or key server, so this is a post-compromise path to code execution or a device reload rather than an unauthenticated remote attack.
– Microsoft's October Patch Tuesday fixed two zero-days that were also added to the KEV catalog: CVE-2023-41763 in Skype for Business (rated as elevation of privilege) and CVE-2023-36563 in WordPad (information disclosure).
– The fifth entry is a zero-day in the HTTP/2 protocol itself, disclosed as HTTP/2 Rapid Reset, which has been exploited in very large distributed denial-of-service (DDoS) attacks. Because the weakness is in the protocol's stream-cancellation behavior rather than in one product, there is no single vendor patch: every HTTP/2 server, proxy and load balancer implementation needs its own update or mitigation.
– Under Binding Operational Directive (BOD) 22-01, federal civilian agencies have 21 days from the catalog update to identify affected products and apply the patches or mitigations.
– CISA encourages all organizations, not only federal agencies, to review the KEV catalog, prioritize remediation of the listed defects, and discontinue use of products for which no mitigation is available.
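Reviewing the KEV catalog against what you actually run, as the last two points recommend, is easy to script. The following Python is an added example, not code from CISA or from the original article. It parses a constructed excerpt written in the schema of CISA's public KEV JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json), matches the entries against an invented asset inventory, and reports the days remaining to each BOD 22-01 due date. The entries use the four CVE IDs the article names plus CVE-2023-44487 for the HTTP/2 flaw, which the article does not identify by ID; the vulnerabilityName strings, the HTTP/2 vendor/product values and the inventory are my approximations, not copied from the catalog.

```python
"""Match CISA KEV entries against an asset inventory and report BOD 22-01 deadlines.

Added example; not CISA's code and not from the article. Field names follow the
public KEV JSON feed. SAMPLE_KEV_JSON and SAMPLE_INVENTORY are constructed here
so the script runs offline; replace them with the downloaded feed and a CMDB export.
"""
import json
from datetime import date

# Words that carry no product identity and would cause spurious matches.
STOPWORDS = {"and", "for", "the", "of", "dc"}

REQUIRED_ACTION = ("Apply mitigations per vendor instructions or discontinue use "
                   "of the product if mitigations are unavailable.")


def _kev(cve, vendor, product, name):
    """Build one entry in the KEV feed schema (dates: the October 10, 2023 update)."""
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "vulnerabilityName": name, "dateAdded": "2023-10-10",
            "dueDate": "2023-10-31", "requiredAction": REQUIRED_ACTION}


# Constructed feed excerpt. vulnerabilityName values are paraphrased from the
# article; the HTTP/2 vendorProject/product strings are an assumption.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2023.10.10", "dateReleased": "2023-10-10T00:00:00.0000Z",
    "count": 5,
    "vulnerabilities": [
        _kev("CVE-2023-21608", "Adobe", "Acrobat and Reader", "Acrobat and Reader RCE flaw"),
        _kev("CVE-2023-20109", "Cisco", "IOS and IOS XE", "GET VPN out-of-bounds write"),
        _kev("CVE-2023-41763", "Microsoft", "Skype for Business", "Skype for Business zero-day"),
        _kev("CVE-2023-36563", "Microsoft", "WordPad", "WordPad zero-day"),
        _kev("CVE-2023-44487", "IETF", "HTTP/2", "HTTP/2 Rapid Reset DDoS flaw"),
    ],
})

# Invented inventory: (vendor, product) strings as a CMDB would typically record them.
SAMPLE_INVENTORY = [
    ("Adobe", "Acrobat Reader DC"),
    ("Cisco", "IOS XE"),
    ("Microsoft Corporation", "WordPad"),
    ("Microsoft Corporation", "Windows Server 2019"),
]


def load_kev(feed_text):
    """Parse the KEV JSON feed text and return its list of vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def _tokens(text):
    return {t for t in text.lower().replace("/", " ").split() if t not in STOPWORDS}


def _vendor_matches(kev_vendor, inv_vendor):
    a, b = kev_vendor.lower().strip(), inv_vendor.lower().strip()
    return a in b or b in a  # "Microsoft" vs "Microsoft Corporation"


def match_inventory(entries, inventory):
    """Return (entry, asset) pairs where the vendor matches and the product names
    share at least one meaningful token. Deliberately loose: KEV product strings
    ("IOS and IOS XE") rarely equal CMDB names, and an analyst confirms each hit."""
    hits = []
    for entry in entries:
        kev_tokens = _tokens(entry["product"])
        for vendor, product in inventory:
            if _vendor_matches(entry["vendorProject"], vendor) and kev_tokens & _tokens(product):
                hits.append((entry, f"{vendor} {product}"))
    return hits


def unmatched_entries(entries, inventory):
    """Entries with no inventory hit; protocol-level items such as HTTP/2 land here
    and must be mapped by hand to the servers and proxies that implement them."""
    matched = {e["cveID"] for e, _ in match_inventory(entries, inventory)}
    return [e for e in entries if e["cveID"] not in matched]


def days_until_due(entry, today):
    """Days left before the BOD 22-01 dueDate; negative means overdue."""
    return (date.fromisoformat(entry["dueDate"]) - today).days


def remediation_report(entries, inventory, today):
    """One row per matched (entry, asset), most urgent first."""
    rows = []
    for entry, asset in match_inventory(entries, inventory):
        remaining = days_until_due(entry, today)
        rows.append({"cveID": entry["cveID"], "asset": asset, "dueDate": entry["dueDate"],
                     "daysRemaining": remaining,
                     "status": "OVERDUE" if remaining < 0 else "due"})
    return sorted(rows, key=lambda r: (r["daysRemaining"], r["cveID"]))


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    for row in remediation_report(kev, SAMPLE_INVENTORY, date(2023, 10, 11)):
        print(f'{row["status"]:8} {row["cveID"]}  {row["asset"]}  due {row["dueDate"]} '
              f'({row["daysRemaining"]} days)')
    for entry in unmatched_entries(kev, SAMPLE_INVENTORY):
        print(f'REVIEW   {entry["cveID"]}  {entry["vendorProject"]} {entry["product"]}: no inventory match')
```

To use it against the live catalog, fetch the feed URL above and pass its text to load_kev; the schema is stable, so only SAMPLE_KEV_JSON and SAMPLE_INVENTORY need replacing. Note that the HTTP/2 entry will always surface in the unmatched list, because no inventory names "HTTP/2" as a product: it has to be mapped manually to every web server, reverse proxy, load balancer and gRPC service you operate, which is exactly the point about that entry made above.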